revengerat | f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6

Analysis

max time kernel
138s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
19-03-2022 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6.exe
Size

3.3MB
MD5

bc1f1927377eef031e6cbfb180b18a9b
SHA1

dee73ea9168423a749de24c00d9c92c7f8720093
SHA256

f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6
SHA512

b37dd0e10014e72540e50c1e8509fd061c393935d2653729704c2e8766a23fe971e790b163b6d63d80f21a96585d12d24d0fb8883628e25ca9ebbb3162a271d4

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

CDS.execrypted.exe

pid process

4472 CDS.exe
2852 crypted.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

CDS.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation CDS.exe
Loads dropped DLL 1 IoCs

Processes:

CDS.exe

pid process

4472 CDS.exe

pid	process
4472	CDS.exe
2852	crypted.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	CDS.exe

pid	process
4472	CDS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CDS.exe

pid process

4472 CDS.exe
4472 CDS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 2480 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2480 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CDS.exe

pid process

4472 CDS.exe
4472 CDS.exe

pid	process
4472	CDS.exe
4472	CDS.exe

description	pid	process
Token: 33	2480	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2480	AUDIODG.EXE

pid	process
4472	CDS.exe
4472	CDS.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6.exeCDS.execrypted.exefondue.exe

description	pid	process	target process
PID 4216 wrote to memory of 4472	4216	f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6.exe	CDS.exe
PID 4216 wrote to memory of 4472	4216	f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6.exe	CDS.exe
PID 4216 wrote to memory of 4472	4216	f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6.exe	CDS.exe
PID 4472 wrote to memory of 2852	4472	CDS.exe	crypted.exe
PID 4472 wrote to memory of 2852	4472	CDS.exe	crypted.exe
PID 4472 wrote to memory of 2852	4472	CDS.exe	crypted.exe
PID 2852 wrote to memory of 4124	2852	crypted.exe	fondue.exe
PID 2852 wrote to memory of 4124	2852	crypted.exe	fondue.exe
PID 2852 wrote to memory of 4124	2852	crypted.exe	fondue.exe
PID 4124 wrote to memory of 3288	4124	fondue.exe	FonDUE.EXE
PID 4124 wrote to memory of 3288	4124	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6.exe
"C:\Users\Admin\AppData\Local\Temp\f86e4008b73ce2c5dc4a2093666d2189e854bc5a8f696d3edeb933431a3e4fa6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\fondue.exe
      "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Windows\system32\FonDUE.EXE
        
        "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        5⤵
        
        PID:3288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x4cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

MD5
cc5f5a9fbdf926a14700cd3240f01249

SHA1
fecff1a856e7c3dbc5f2e4581cdfd08ec1509ef4

SHA256
83498d99a97a94b36da86eb1416d34e9ebabd2251673b69ffe1d4fb4233dc6a0

SHA512
4617c76512d8ad074a55c47ca868e6ea3ac4b660c501e6da17c5db68dadef632912f4ad8cd2541e5443c2d8d2746c65e994e45eea8e2f76cc6449b4d39080299

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
6d1d3d57e22ed5cc5ae80313489a11d8

SHA1
400100976dbb97a41f31efcf7e9e535fb10e5c20

SHA256
b4e9e8f3c2787beec62cf354bbd7670f85d8d580d0cc7655fb047fff4ca6b330

SHA512
29a21ae20bce5c5092f5218be2c9357d53736b666750edcf46da54d14abd4ca644b411fbdc2af978251bbe9d243ab55c09b7ed1727094fdb24f1d32a3fbdd8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5
6d1d3d57e22ed5cc5ae80313489a11d8

SHA1
400100976dbb97a41f31efcf7e9e535fb10e5c20

SHA256
b4e9e8f3c2787beec62cf354bbd7670f85d8d580d0cc7655fb047fff4ca6b330

SHA512
29a21ae20bce5c5092f5218be2c9357d53736b666750edcf46da54d14abd4ca644b411fbdc2af978251bbe9d243ab55c09b7ed1727094fdb24f1d32a3fbdd8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit